Mass Compromise/Point Of Compromise Analytic Detection And Compromised Card Portfolio Management System

ABSTRACT

A system and method for managing mass compromise of financial transaction devices is disclosed. A method includes maintaining a summary of a transaction history for a financial transaction device, and forming a device history profile based on the transaction history, the device history profile including predictive variables indicative of fraud associated with the financial transaction device. A method further includes generating a fraud score based on the predictive variables, the fraud score representing a likelihood that the financial transaction device is compromised will be used fraudulently.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation and claims the benefit of priorityunder 35 U.S.C. §120 of U.S. patent application Ser. No. 11/475,722,filed Jun. 26, 2006, entitled “MASS COMPROMISE/POINT OF COMPROMISEANALYTIC DETECTION AND COMPROMISED CARD PORTFOLIO MANAGEMENT SYSTEM”,which claims priority under 35 U.S.C. §119 to U.S. ProvisionalApplication Ser. No. 60/693,728, filed Jun. 24, 2005, entitled “MASSCOMPROMISE/POINT OF COMPROMISE ANALYTIC DETECTION AND COMPROMISED CARDPORTFOLIO MANAGEMENT SYSTEM”, which the disclosure of which isincorporated herein by reference.

BACKGROUND

Modern economies increasingly depend on a variety of user devices thatfacilitate financial transactions, or the exchange of legal tender forgoods or services. Prominent among these devices are credit cards anddebit cards. These cards include numerical information such as anaccount number representing a user's credit or banking account, as wellas textual information that may indicate, as an example, the identity ofthe user, the identity of the creditor or banker entity. Other devicesused for facilitating financial transactions include wireless handhelddevices, which may store such numerical and textual information in thedevice's memory, and transmit such information at the point of sale toexecute the financial transaction.

A problem with the above financial transaction devices is that theirnumerical and/or textual information may be easily compromised, that is,easily obtained by an unauthorized third party (i.e. fraudsters). Oncecompromised, the third party may execute a number of unauthorized andhighly damaging financial transactions, and often go undetected for along period of time. Further damaging is that often financial devicesare compromised in mass leading to mistrust in the financial network andhuge financial losses for the financial institutions that utilize thesedevices.

SUMMARY

This document discloses a financial transaction device management systemand method. In some implementations, a system and method are employedfor predicting or detecting, and then managing the mass compromise offinancial' transaction devices to prevent continued fraud.

In one aspect, a computer-implemented method includes maintaining asummary of a transaction history for a financial transaction device, andforming a device history profile based on the transaction history, thedevice history profile including predictive variables indicative offraud associated with the financial transaction device. The methodfurther includes generating a fraud score based on the predictivevariables, the fraud score representing a likelihood that the financialtransaction device is compromised and will be used fraudulently.

In another aspect, a computer-implemented method includes the steps offorming a device profile associated with a financial transaction deviceand based on a transaction history, the device profile includingpredictive variables that are indicative of a fraud. The method furtherincludes the steps of generating a fraud score based on the predictivevariables, the fraud score representing a likelihood that the financialtransaction device is compromised, and based on predictive variables,determining whether the financial transaction device will be usedfraudulently in the near future.

In yet another aspect, a system for managing compromise of financialtransaction devices includes a transaction history for a financialtransaction device, and a compromise device global profile associatedwith the transaction history, the device global profile includingpredictive variables indicative of fraud. The system further includes afraud score based on the predictive variables, the fraud scorerepresenting a likelihood the financial transaction device iscompromised will be used fraudulently.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects will now be described in detail with referenceto the following drawings.

FIG. 1 is a representation of a card profile.

FIG. 2 is a representation of a card global profile.

FIG. 3 is a representation of a merchant profile.

FIG. 4 is a representation of a merchant global profile.

FIG. 5 is a representation of a compromise cluster profile.

FIG. 6A-6C depict an updated two-way linked list with sequentialtransactions at the same merchant on the same date.

FIG. 6D-6E depict profile manipulations to repair a two-way linked listbetween cards used with the same merchant on the same date when atransaction is aged off the transaction history for an exemplary card#121321.

DETAILED DESCRIPTION

This document describes a system for detecting and managing compromisesof financial transaction devices, including credit cards, debit cards,wireless transmission devices, or other devices (herein referred togenerally as “cards”), embodied as a real-time mass compromise/pointcompromise detection and compromised card portfolio management systemand method. In addition to detecting potential mass compromise/point ofcompromise, the system and method are configured to monitor fraudactivity of a compromised card cluster to produce compromise fraudscores at the cluster and/or card level which indicates the probabilityof the compromised card to be used fraudulently.

In some variations, the system and method include a globally nested,two-way linked-list system that allows for accurate determination ofcompromises and provides the appropriate linked lists to associatecompromised cards with the compromise. The system or method utilizescomplex profile management techniques to update and maintain the two-waylinked lists in real-time, and to spontaneously create compromiseportfolio card clusters and monitor the activity of the compromisedcards in analytic-generated compromise portfolios. In some particularimplementations, the system or method includes a real-time scoringarchitecture producing scores at the card-level, merchant-level, andcompromise portfolio level. The real-time scoring architecture isconfigured to detect the mass compromise/point of compromise, and acompromise card score is computed to manage the associated compromisedcard portfolios.

The system and method, as described in its various alternatives below,detects mass compromise and point of compromise through pre-fraudpatterns in time, fraud activity variables, and through intense testingof cards at test sites, creates a compromise portfolio. The system alsomaintains two-way linked lists of cards visiting merchants, and canautonomously repair two-way linked lists as transaction details agewithin the system and/or are discarded from the system after a period oftime.

In some embodiments, the system is configured to automatically spawncompromise portfolio profiles for detailed analytics of the behavior ofthe compromised cards as a group. The system may also be configured togenerate card-level models of suspected counterfeit and CNP/MOTO (CardNot Present/Mail Order—Telephone Order) fraud for those cards associatedwith a compromise cluster and those cards not associated with acompromise cluster. The system may further be configured to generatemerchant-level models of risky behavior and suspected test-siteutilization by fraudsters, and generate compromise portfolio profilesmonitoring the activity (or lack of activity) of the suspected masscompromise or point of compromise to produce a compromise score.

For purposes of this document and in the context of the disclosedembodiments, the term “point of compromise” relates to a specific timeperiod during which a card or set of cards is used and compromised at aparticular merchant. Counterfeit cards created during a point ofcompromise may later be used illegitimately and detected by a frauddetection system. The term “mass compromise” relates to a point in timewhere card information is stolen from a merchant/data aggregator,typically accessed from a database, but the actual date on which thecards are used at a merchant or entered into a financial informationdatabase could be any date prior to the time of mass compromise. Masscompromise cards are typically utilized in CNP/MOTO fraud transactions,since a physical representation of the card, such as information on themagnetic stripe, is not typically obtained.

In accordance with some embodiments, a system or method to detect masscompromise and point of compromise is configured to generate and store atransaction history. The transaction history is stored so that apre-fraud pattern can be computed to detect potential points ofcompromise and mass compromise when a given card is later designated asfraudulent, i.e. detected as fraudulent via one or more models, orreported or confirmed as fraudulent. The transaction history is alsoneeded when a compromise cluster of compromised cards is to beconstructed as based on suspected pre-fraud rate or excessive testing attest sites.

For detecting and managing compromise, the system utilizes fivedifferent types of profiles, described below:

-   -   Card Holder Profile: Keyed by account number, this profile        includes a primary Compromise Card Global Profile Index        (CCGP_index) key to a Compromise Card Global Profile, and        includes predictive variables indicative of CNP/MOTO and        counterfeit fraud.    -   Compromise Card Global Profile: Keyed by the CCGP_index, this        profile includes transaction arrays that maintain a history of        date/times and merchants where the card transacted.    -   Merchant Profile: Keyed by a merchant identifier this profile        includes a primary Compromise Merchant Global Profile Index        (CMGP_index) key to a Compromise Merchant Global Profile and        merchant fraud detection variables and test site detection        variables.    -   Compromise Merchant Global Profile: Keyed by CMGP_index, this        profile includes an array indexed by time that includes a number        of cards, a number of counterfeit and/or fraudulent cards, a        number of CNP/MOTO frauds, and a number of card-level model        suspected fraud cases associated with cards that have transacted        at the merchant in the past.    -   Compromised Portfolio Profile: Includes statistical and analytic        pattern detection variables for the group of cards suspected to        be part of a particular mass compromise or point of compromise.        The portfolio will be monitored for changes in the activity of        cards indicative of increased portfolio risk and allow for        decisions related to reissue or more sensitive monitoring of        cards. This profile monitors all the associated compromised        cards for test-site polling, compromise cluster sequential        transacting, and abnormal clustering of usage across cards in        the cluster.

A skeleton structure of the profiles is described below. The profilesallow for the proper detection of potential compromise, generation ofthe compromise card clusters, and generation of model scores at thecard, merchant, and compromise levels to allow for better monitoring andmanagement of compromised cards.

As exemplified in FIG. 1, a Card Holder Profile 100 is indexed in ashared memory based on an account number in the authorization feed. Thecard holder profile 100 includes a combination of analytic variablespointing to suspicious CNP/MOTO and suspicious counterfeit behavior, aswell as tag variables that indicate confirmed fraud reported on thecard. The card holder profile 100, in addition to providing card-levelfraud detection, also includes one or more links to the CCGP_index.Using the card holder profile 100, a model fraud score is produced whichindicates whether the card is likely to become a counterfeit or CNP/MOTOfraud based on the card-level variables and compromise cluster variables(if available). If the card is determined to be associated with a masscompromise or point of compromise, then the card-level fraud score willincorporate behavior associated with a Compromise Cluster(s) index(CC_index).

As exemplified in FIG. 2, a Compromise Card Global Profile is keyed inshared memory based on the CCGP index included in the card holderprofile. Within this profile there is a multi-element array based on:

-   -   CMGP_index (identifies the merchant)        -   Date/Time    -   Previous CCGP_index at the merchant (identifies the previous        card at the merchant)    -   Future CCGP_index at the merchant (identifies the future card at        the merchant)

The previous CCGP_index and Future CCGP_index constitute a two-waylinked list across the cards that transacted at the merchant which areused to create the Compromise Portfolio profile if a compromise isdetected.

If the card is determined to be fraudulent, either through card-levelfraud models within the system or through fraud reporting, the array ofthe card's transaction history will allow the system to retrieve theprofiles of all visited merchants to indicate the time when the nowfraudulent card was used at the merchant. This generates an accuratepre-fraud pattern which is updated and computed for each of the impactedmerchants.

As exemplified in FIG. 3, the Merchant Profile is indexed based on apredefined merchant key. The profile includes a link between a physicalMerchantID based on an AUTH transaction and an internally-representedCMGP_index profile. The merchant profile includes merchant-level frauddetection variables.

As shown in FIG. 4, the Compromise Merchant Global Profile is indexed inshared memory based on the CMGP index included in the Merchant Profileand accessed when an AUTH or FRAUD record is received, or when asuspected fraud is detected. In some embodiments, this profile includessix arrays indexed by time. The arrays track a total number of cardsthat transacted at the merchant, a number of confirmed/suspectedcounterfeit cards, a number of confirmed/suspected CNP/MOTO frauds, anamount of testing if the merchant is a test site, and the lastCCGP_index to update the merchant.

Accordingly, based on predictive fraud variables in the merchant profilea score is generated indicative that a merchant during a time period hasbeen compromised or was used in the testing of compromised devices.Further, based on a two-way linked list using the compromise deviceglobal profile, all devices that transacted at that merchant can beassociated with a single compromise cluster profile index. Whensubsequent transactions come in for devices associated with a compromisecluster profile index, the cluster profile is retrieved and predictivefraud variables associated with the multiplicity of cards are updated.

The compromise cluster predictive variables are used to understand theactivity of the compromised devices in the cluster indicative ofpotential aggregate fraudulent activity associated with the multiplicityof compromised devices. When a compromised device receives anauthorization request predictive variables from both the device profileand the compromise cluster will be used to determine a device specificprobability of fraud for each compromised device in the cluster allowingthe compromised devices to be ranked in terms of the probability offuture fraudulent activity occurring on the compromised device.

As exemplified in FIG. 5, the Compromise Portfolio Profile is indexed inthe shared memory according to the Compromise Portfolio index includedin the card profile of the current AUTH being processes. This index isassigned based on a counter of Compromise instances in the shared memoryand cards will be assigned based on using the two-way linked list acrosscard profiles to assign the appropriate Compromise Portfolio index tothe card profiles. Once cards are associated with a compromise cluster,the compromise cluster is retrieved for each transaction associated withany of the cards in the compromise cluster.

The compromise Portfolio generates a score that will determine aseverity of the compromise and the compromised card activity of thesuspected compromise. This model will produce a merchant-levelcompromise score, whereas individual card scores will be produced basedboth on variables in the compromise cluster profile and the cardprofile.

The following describes a model work-flow:

AUTH Feed (Authorization feed)

Initialization: When the auth feed comes into the system, the recordincludes the keys to both the cardholder profile and the merchantprofile. If either the merchant profile or cardholder profile is notcreated, these will be initialized. As part of initialization, a CMGPindex is assigned to the Merchant profile and a CCGP index is assignedto the card profile. The account number and merchant will then beassigned to the similarly created and initialized CCGP and CMGPprofiles, which links the internal keys for card and merchant to thephysical keys derived from the AUTH transaction. The available CCGP andCMGP indexes are incremented by one.

Steady State: Within the Compromise Card Global profile, the firstavailable or oldest (when aging transactions) CMGP index/date-time isreplaced by the CMGP index contained within the Merchant profileassociated with the current AUTH transaction. The CMGP index isdetermined from the Merchant profile that is retrieved based on the AUTHtransaction. If the current AUTH is a first transaction for that card atthe merchant on a particular date, then the card count on that date willbe incremented. The transaction is stored in the card-level globalprofile and the Merchant global profile contains a history of the uniquenumber of cards and their subsequent activity after they transacted onthat date.

Any suspicious variables at the cardholder and merchant profile will beupdated, and if the behavior is deemed suspicious, then a suspectedfraud notification is produced

Suspected Fraud Notification or Confirmed Fraud Notification

Steady State: When a suspected fraud is determined or when a confirmedfraud notification is reported to the system, the account number in thefraud record (if a suspected fraud is determined the correct cardholderprofile will already be loaded) is used to access the cardholderprofile, and consequently the CCGP profile. If the card is determined tobe counterfeit or CNP/MOTO fraud, then the merchant transaction history(indexed by CMGPs) included in the CCGP profile is used to update thefraud card count in the associated Compromise Merchant Global Profiles.After all the previously-visited merchants are updated, a pre-fraud ratepattern is computed for each merchant to determine whether there issuspicion of compromise based on a pre-fraud rate and additional frauddetection predictive recursive variables. Determination of points ofcompromise or mass compromise is determined through a variety ofstatistical, distance, and mutual information measures.

Initialization: If a compromise is detected, then the Last CCGP index isused to move through the indexed linked list of CCGP profiles to updatethe card profiles with the associated compromise cluster number. Thecompromise cluster is created and summary statistics are collected onthe linked-list of cards.

When a new transaction comes in for one of the cards associated with thecompromise cluster, then the Compromise Portfolio Profile is retrievedand the compromise portfolio can then be monitored for changes in thecompromised cards portfolio behavior. Additionally, the card-level fraudscores utilize both card-level variables and compromise-level variablesto ascertain the risk of the card being compromised and usedfraudulently.

Maintaining Two-Way Linked Lists

The Compromise detection system makes use of two-way linked lists toallow for the creation of compromise clusters consisting of cardsassociated with the compromise. Two-way linked lists are maintained atthe daily and weekly level. In some exemplary embodiments, the systemcan be configured for six months of daily monitoring and two years ofweekly monitoring.

The properties of these linked lists will now be described withreference to FIGS. 6A-E.

Update Building the Linked List and Moving Back Through the List.

As illustrated in FIG. 6A, when the first transaction for amerchant/date is updated there is no previous transaction at themerchant so the Last CCGP_index is set to NONE. The Future CCGP_index isnot yet known so it is also marked as NONE.

As illustrated in FIG. 6B, when the second transaction for amerchant/date is updated, then the Future CCGP_index can be updated inthe previous card profile. The last CCGP_index in the profile of thecard associated with the current transaction is set the previous cardnumber. FIG. 6C illustrates a third transaction.

If a compromise occurred at Merchant #34138 the entry in the lastCCGP_index will be used to access profiles, #88129219, #44312231, and#121321. As we retrieve and work through the linked list, when LASTCCGP_index=NONE the entire linked-list has been processed.

Repair of the Two-Way Linked List

Given that the linked lists are performed at the transaction level, atsome point the transaction may be discarded due to finite transactionstorage for a particular card. In this situation, prior to deletion or“aging off” of the transaction from the transaction history of the card,the linked list needs to be repaired or it will be broken. This isillustrated in FIGS. 6D and 6E, as the future and last CCGP_indexes ofthe card transaction that proceeds and follows the transaction to bedeleted are readjusted.

Some embodiments can be implemented in digital electronic circuitry, orin computer hardware, firmware, software, or in combinations of them.Some embodiments can be implemented as a computer program product, i.e.,a computer program tangibly embodied in an information carrier, e.g., ina machine readable storage device or in a propagated signal, forexecution by, or to control the operation of, data processing apparatus,e.g., a programmable processor, a computer, or multiple computers. Acomputer program can be written in any form of programming language,including compiled or interpreted languages, and it can be deployed inany form, including as a stand alone program or as a module, component,subroutine, or other unit suitable for use in a computing environment. Acomputer program can be deployed to be executed on one computer or onmultiple computers at one site or distributed across multiple sites andinterconnected by a communication network.

Methods can be performed by one or more programmable processorsexecuting a computer program to perform functions of the invention byoperating on input data and generating output. Method can also beperformed by, and apparatus of the invention can be implemented as,special purpose logic circuitry, e.g., an FPGA (field programmable gatearray) or an ASIC (application specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read only memory ora random access memory or both. The essential elements of a computer area processor for executing instructions and one or more memory devicesfor storing instructions and data.

Generally, a computer will also include, or be operatively coupled toreceive data from or transfer data to, or both, one or more mass storagedevices for storing data, e.g., magnetic, magneto optical disks, oroptical disks. Information carriers suitable for embodying computerprogram instructions and data include all forms of non volatile memory,including by way of example semiconductor memory devices, e.g., EPROM,EEPROM, and flash memory devices; magnetic disks, e.g., internal harddisks or removable disks; magneto optical disks; and CD ROM and DVD-ROMdisks. The processor and the memory can be supplemented by, orincorporated in special purpose logic circuitry.

Although a few embodiments have been described in detail above, othermodifications are possible. Other embodiments may be within the scope ofthe following claims.

1. A computer-implemented method comprising: detecting compromised plurality of financial transaction devices; defining a compromise cluster from the compromised plurality of financial transaction devices; forming a device holder profile and a merchant profile for each of the plurality of financial transaction devices that define the compromise cluster, the device holder profile including device-level predictive variables indicative of fraud, and the merchant profile including merchant fraud detection variables indicative of fraud; forming a compromise device global profile based on the compromise cluster and keyed from the device holder profile, the compromise device global profile including transaction arrays based on a transaction history for each of the plurality of financial transaction devices indicative of fraud patterns across and between each of the compromised plurality of financial transaction devices associated with the compromise cluster; forming a compromised portfolio profile indexed with the compromise cluster based on two-way linked lists across device holder profiles, the compromised portfolio profile including compromise-level predictive variable indicative of a severity of the detected compromise; and generating a fraud score based on the compromise-level predictive variables and device-level predictive variables, the fraud score representing a likelihood that any one financial transaction device of the compromise cluster will be used fraudulently based on real-time transaction data related to the one financial transaction device and to the plurality of financial transaction devices of the compromise cluster.
 2. The computer implemented method in accordance with claim 1, wherein the compromise-level predictive variables of the compromise portfolio profile include compromise cluster variables indicative of a mass compromise of the compromised plurality of financial transaction devices.
 3. The computer implemented method in accordance with claim 1, further comprising combining the device-level predictive variables with the compromise cluster variables to determine whether each financial transaction device is associated with the mass compromise and will be used fraudulently.
 4. The computer implemented method in accordance with claim 1, wherein the transaction arrays maintain a history of time and location information where each financial transaction device was used.
 5. The computer implemented method in accordance with claim 1, wherein the merchant profile further includes a merchant identifier associated with the merchant, and a compromise merchant global profile index key to the compromise merchant global profile.
 6. The computer implemented method in accordance with claim 5, wherein the time-indexed arrays include a number of financial transaction devices, a number of fraudulent financial transaction devices, and a number of cases of counterfeit and MOTO fraud devices associated with the merchant.
 7. The computer implemented method in accordance with claim 1, further comprising forming a compromise merchant global profile based on the compromise cluster and keyed from the merchant profile, the compromise merchant global profile including a number of time-indexed arrays comprising a number of financial transaction devices, and fraud cases thereof, that have transacted with the merchant.
 8. The computer implemented method in accordance with claim 7, further comprising detecting, using the compromise merchant global profile, patterns associated with the number of financial transaction devices that previously transacted at the merchant based on pre-fraud patterns that are anomalous and indicative of potential compromise.
 9. A computer program product comprising: a storage medium readable by at least one processor and storing instructions for execution by the at least one processor for: detecting compromised plurality of financial transaction devices; defining a compromise cluster from the compromised plurality of financial transaction devices; forming a device holder profile and a merchant profile for each of the plurality of financial transaction devices that define the compromise cluster, the device holder profile including device-level predictive variables indicative of fraud, and the merchant profile including merchant fraud detection variables indicative of fraud; forming a compromise device global profile based on the compromise cluster and keyed from the device holder profile, the compromise device global profile including transaction arrays based on a transaction history for each of the plurality of financial transaction devices indicative of fraud patterns across and between each of the compromised plurality of financial transaction devices associated with the compromise cluster; forming a compromised portfolio profile indexed with the compromise cluster based on two-way linked lists across device holder profiles, the compromised portfolio profile including compromise-level predictive variable indicative of a severity of the detected compromise; and generating a fraud score based on the compromise-level predictive variables and device-level predictive variables, the fraud score representing a likelihood that any one financial transaction device of the compromise cluster will be used fraudulently based on real-time transaction data related to the one financial transaction device and to the plurality of financial transaction devices of the compromise cluster.
 10. The computer program product in accordance with claim 9, wherein the compromise-level predictive variables of the compromise portfolio profile include compromise cluster variables indicative of a mass compromise of the compromised plurality of financial transaction devices.
 11. The computer program product in accordance with claim 9, the instructions further comprising instructions for combining the device-level predictive variables with the compromise cluster variables to determine whether each financial transaction device is associated with the mass compromise and will be used fraudulently.
 12. The computer program product in accordance with claim 9, wherein the transaction arrays maintain a history of time and location information where each financial transaction device was used.
 13. The computer program product in accordance with claim 9, wherein the merchant profile further includes a merchant identifier associated with the merchant, and a compromise merchant global profile index key to the compromise merchant global profile.
 14. The computer program product in accordance with claim 13, wherein the time-indexed arrays include a number of financial transaction devices, a number of fraudulent financial transaction devices, and a number of cases of counterfeit and MOTO fraud devices associated with the merchant.
 15. The computer program product in accordance with claim 9, the instructions further comprising instructions for forming a compromise merchant global profile based on the compromise cluster and keyed from the merchant profile, the compromise merchant global profile including a number of time-indexed arrays comprising a number of financial transaction devices, and fraud cases thereof, that have transacted with the merchant.
 16. The computer program product in accordance with claim 15, the instructions further comprising instructions for detecting, using the compromise merchant global profile, patterns associated with the number of financial transaction devices that previously transacted at the merchant based on pre-fraud patterns that are anomalous and indicative of potential compromise.
 17. A system for managing compromise of financial transaction devices, each financial transaction device having a transaction history, the system comprising: a computing system maintaining a two-way communication link with a plurality of merchants that use the financial transaction devices, the computing system being configured to execute a plurality of computer programs stored on a storage device, the plurality of computer programs comprising: a first computer program module that defines a compromise cluster from a subset of the financial transaction devices that have been compromised; a second computer program module that generates a compromise device global profile associated with the transaction history, the device global profile including compromise-level predictive variables indicative of fraud patterns across and between each of the plurality of financial transaction devices associated with the compromise cluster, the compromise-level predictive variables comprising compromise cluster variables relating to unique behavior of each of the plurality of financial transaction devices of the compromise cluster, and indicators that at least one of the plurality of financial transaction devices of the compromise cluster are being used fraudulently; a third computer program module that generates a device profile based on a transaction history for each of the plurality of financial transaction devices, the device profile including device-level predictive variables indicative of fraud and device-testing behaviors associated with each financial transaction device, and further generates a compromise device global profile linked with the device profile that includes transaction arrays that maintain a history of date/times and merchants where the financial transaction device transacted; and a fourth computer program module that generates a fraud score based on the compromise-level predictive variables and device-level predictive variables, the fraud score representing a likelihood that any one financial transaction device of the compromise cluster will be used fraudulently based on real-time transaction data related to the one financial transaction device and to the plurality of financial transaction devices of the compromise cluster.
 18. A system in accordance with claim 17, wherein the compromise device global profile includes transaction arrays stored on the storage device that maintain a history of time and location information where the financial transaction device was used.
 19. A system in accordance with claim 18, further comprising a third computer program module that generates a merchant profile, the merchant profile including merchant fraud detection variables indicative of fraud and compromise device testing associated with the merchant.
 20. A system in accordance with claim 19, wherein the merchant profile further includes a merchant identifier associated with the first merchant, and a primary compromise merchant global profile index key to a compromise merchant global profile. 